Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of May 2017

New Detection Technique - APT32

APT32 (aka the OceanLotus Group) is a cyber espionage group identified by FireEye who has recently been seen targeting and carrying out intrusions into private sector companies across multiple industries in southeast Asia, particularly Vietnamese interests. APT32 has also targeted foreign governments, dissidents, and journalists, and have been utilizing a unique suite of fully-featured malware. FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, Vietnam.

We've added IDS signatures and the following correlation rules to detect this activity:

System Compromise, Targeted Malware, APT32

System Compromise, Targeted Malware, Komprogo

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

System Compromise, Ransomware infection, UIWIX

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

System Compromise, Ransomware infection, Cerber

System Compromise, Ransomware infection, Mole

System Compromise, Ransomware infection, Spora

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

System Compromise, Trojan infection, BigKlim

System Compromise, Trojan infection, Ibashade

Updated Detection Technique - Samba RCE Attempt (CVE-2017-7494)

A vulnerability in Samba software was disclosed. The vulnerability allows a user to upload a shared library to a writeable share on a vulnerable Samba server, and then cause the server to execute the uploaded file. This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package. This vulnerability currently affects all versions of Samba 3.5.0 and later.

We've added IDS signatures and updated the following correlation rule to detect this activity:

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware of botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

System Compromise, C&C Communication, ZLoader SSL activity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. ATP28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence."